Archive for the ‘Alerts’ Category

A Trojan horse is spreading across the Internet that encrypts Word documents, spreadsheets, and databases, then leaves a file demanding $300 in return for the password needed to decrypt the ransomed files. However, technicians at Sophos have recovered the password from the Trojan itself (yes, it looks like a path name):

C:\Program Files\Microsoft \Visual Studio\VC8

This kind of attack seems to be growing. So keep anti-virus and firewall software up to date, and keep backups the malware cannot reach: the next variant may not be careless enough to carry its password inside the executable.
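How a vendor pulls a hard-coded password out of a sample like this is simple static analysis: scan the binary for runs of printable bytes, then filter for candidates that look like a secret. The following is an added example, not the article's or Sophos's code; the byte blob, the path inside it and the function names are all constructed for the demo.

```python
import re

# Constructed stand-in for a malware sample: a PE-style header fragment, junk
# bytes, and a hard-coded password stored as a plain ASCII string, the way a
# Trojan that carries its own decryption secret would. Not a real sample and
# not the real password.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x01\x02abc\x03"                                  # 3 printable bytes: below the threshold
    b"\x00C:\\Program Files\\Sample Vendor\\Build\\VC8\x00"  # the embedded "password"
    b"\x7f\x11\x12kernel32.dll\x00"
    b"\x80\x81\x82!@#$%^&*()_+\x00"                     # printable, but not a path
    b"\x05EncryptFilesNow\x06"
)


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Like the Unix `strings` tool: every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


# Drive-letter paths: the shape the quoted password has.
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\.*$")


def find_windows_paths(blob: bytes, min_len: int = 6) -> list:
    """Candidate secrets that look like Windows paths."""
    return [s for s in extract_strings(blob, min_len) if WINDOWS_PATH.match(s)]


def find_dll_names(blob: bytes) -> list:
    """DLL names the sample references, a quick hint of what it imports."""
    return [s for s in extract_strings(blob) if s.lower().endswith(".dll")]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print(repr(s))
    print("path-like candidates:", find_windows_paths(SAMPLE_BINARY))
```

This only works because the Trojan used one fixed password for every victim and shipped it in the binary. Ransomware that generates a per-victim key and encrypts that key with the attacker's public key leaves nothing useful to extract, which is why backups matter more than the hope of a recovered password.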

“The unpatched CreateTextRange vulnerability in Internet Explorer is already being used by at least one Web site to install spyware on users’ machines, a security organization said Friday.

“‘We just received a report that a particular site uses the vulnerability to install a spybot variant,’ the SANS Institute’s Internet Storm Center (ISC) warned Friday in an alert. ‘It is a minor site with insignificant visitor numbers according to Netcraft’s “Site rank.”’”

“A pair of security bugs in cryptography software could allow an attacker to insert content into a digitally signed message or forge signatures on files.

“The flaws lie in the open-source GNU Privacy Guard software, also known as GnuPG and GPG, the GnuPG group said in two alerts. The software, a free replacement for the Pretty Good Privacy cryptographic technology, ships with many open-source operating systems such as FreeBSD, OpenBSD and many Linux distributions” (By Joris Evers, CNET News.com Published on ZDNet News: March 10, 2006, 2:38 PM PT).

“Security researchers have uncovered new techniques to hide the presence of malware on infected systems. By hiding rootkit software in virtual machine environments, hackers have the potential to avoid detection by security software, boffins at Microsoft Research and the University of Michigan warn” (John Leyden, published 13 March 2006 in The Register).

“An anti-virus vendor warned Tuesday that two new worms spreading on Microsoft’s and America Online’s instant messaging networks delete files and leave systems open to hijacking.

“Symantec posted alerts for the ‘Hotmatom’ and ‘Maniccum’ worms, and ranked both as a level ‘2’ threat. The Cupertino, Calif.-based security company uses a 1 through 5 scale to label worms, viruses, and Trojans.”

As I’ve written in previous articles, the frequency of malicious rootkit installations is increasing. Now it seems that even the BIOS is a potential target. John Heasman, principal security consultant for Next-Generation Security Software, announced this week that a collection of functions known as the Advanced Configuration and Power Interface (ACPI) could be used to deposit a rootkit in the BIOS flash memory. This is rather easy to do, said Heasman, because ACPI tables are written in a high-level language (ACPI Source Language, ASL, compiled to AML byte code that the operating system’s ACPI interpreter executes at boot and at runtime) that’s easy to learn and easy to use.

When I read this story, which was covered on almost every security web site, I was initially concerned. Who wouldn’t be? The BIOS is the most fundamental layer of functionality in any PC. But the more I thought about it, the more I wondered about how much risk a BIOS rootkit actually presents to a business network. After some research, I concluded that the risk is very low for businesses that take normal precautions.

In this article, we’ll look at rootkit technology, how engineers or programmers flash the BIOS, the typical safeguards protecting BIOS access, and what you can do to protect your business from BIOS rootkit issues.
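One precaution that fits the threat: treat the ACPI tables the firmware hands to the operating system as something to baseline and re-check, since that is where an ACPI rootkit's AML would have to live. The following is an added example, not part of the article and not Heasman's code. The 36-byte table header layout and the checksum rule are from the ACPI specification, and /sys/firmware/acpi/tables is where Linux exposes the tables (root needed); the table bodies, OEM strings, the "injected" bytes and all function names are constructed for the demo.

```python
import hashlib
import os
import struct

# Layout of the 36-byte header every ACPI system description table starts with
# (little-endian): Signature, Length, Revision, Checksum, OEMID, OEM Table ID,
# OEM Revision, Creator ID, Creator Revision. The checksum byte at offset 9 is
# chosen so that all bytes of the table sum to 0 modulo 256.
HEADER_FMT = "<4sIBB6s8sI4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 36
CHECKSUM_OFFSET = 9

# Constructed table bodies. Real DSDT/SSDT bodies are AML byte code compiled
# from ASL; these are placeholders and deliberately not valid AML.
SAMPLE_AML = bytes(range(0x10, 0x40))
INJECTED_AML = b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"   # stands in for appended rootkit code


def build_table(signature: bytes, body: bytes, oem_id: bytes = b"VENDOR",
                oem_table_id: bytes = b"BOARD001", oem_rev: int = 1,
                creator_id: bytes = b"TOOL", creator_rev: int = 0x20060101,
                revision: int = 2) -> bytes:
    """Assemble a table with a correct checksum, as a BIOS build (or anyone who
    edits the DSDT, rootkit authors included) would."""
    length = HEADER_LEN + len(body)
    header = struct.pack(HEADER_FMT, signature.ljust(4, b" ")[:4], length, revision, 0,
                         oem_id.ljust(6, b" ")[:6], oem_table_id.ljust(8, b" ")[:8],
                         oem_rev, creator_id.ljust(4, b" ")[:4], creator_rev)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF
    return bytes(table)


def parse_header(table: bytes) -> dict:
    """Decode the header fields; raises if the blob is too short to be a table."""
    if len(table) < HEADER_LEN:
        raise ValueError("blob shorter than an ACPI table header")
    sig, length, rev, csum, oem, oem_tid, oem_rev, cid, crev = struct.unpack_from(HEADER_FMT, table)

    def text(b):
        return b.decode("ascii", "replace").strip()

    return {"signature": text(sig), "length": length, "revision": rev, "checksum": csum,
            "oem_id": text(oem), "oem_table_id": text(oem_tid), "oem_revision": oem_rev,
            "creator_id": text(cid), "creator_revision": crev}


def checksum_ok(table: bytes) -> bool:
    """Spec checksum. It catches corruption, not tampering: whoever rewrites the
    table just recomputes the byte."""
    length = parse_header(table)["length"]
    if length < HEADER_LEN or length > len(table):
        return False
    return sum(table[:length]) & 0xFF == 0


def fingerprint(table: bytes) -> str:
    """SHA-256 of the table exactly as the firmware handed it over."""
    return hashlib.sha256(table).hexdigest()


def compare_to_baseline(tables: dict, baseline: dict) -> list:
    """Findings for tables that fail the checksum, differ from the baseline hash,
    appeared since the baseline, or vanished. An empty list means nothing changed."""
    findings = []
    for name, blob in sorted(tables.items()):
        if not checksum_ok(blob):
            findings.append(f"{name}: checksum failure (corrupt or truncated)")
        expected = baseline.get(name)
        if expected is None:
            findings.append(f"{name}: not in baseline (new table)")
        elif fingerprint(blob) != expected:
            hdr = parse_header(blob)
            findings.append(f"{name}: content changed since baseline "
                            f"(length {hdr['length']}, OEM {hdr['oem_id']}/{hdr['oem_table_id']})")
    for name in sorted(set(baseline) - set(tables)):
        findings.append(f"{name}: in baseline but missing now")
    return findings


def load_tables_from_sysfs(root: str = "/sys/firmware/acpi/tables") -> dict:
    """Read the tables Linux exposes (needs root). File names are the signatures,
    e.g. DSDT, SSDT1; SSDTs carry AML too, so baseline all of them."""
    tables = {}
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                tables[entry] = fh.read()
    return tables


def demo() -> list:
    """Baseline a clean DSDT, then check a version with code appended and the
    checksum recomputed: the checksum passes, the hash comparison does not."""
    clean = build_table(b"DSDT", SAMPLE_AML)
    baseline = {"DSDT": fingerprint(clean)}
    tampered = build_table(b"DSDT", SAMPLE_AML + INJECTED_AML)
    assert checksum_ok(clean) and checksum_ok(tampered)
    return compare_to_baseline({"DSDT": tampered}, baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Take the baseline on a freshly built machine, store it somewhere the host cannot overwrite, and re-run the comparison after every BIOS update (which legitimately changes the hashes) and on any machine under investigation. The caveat the demo makes visible: a table with a valid checksum tells you nothing about integrity, only a comparison against a trusted copy does.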

US-CERT is aware of a new mass-mailing worm known as Nyxem (CME-24). This worm relies on social engineering to propagate. Specifically, the user must click on a link or open an attached file.

The Nyxem worm targets Windows systems that hide file extensions for known file types (this is the default setting for Windows XP and possibly other versions). The worm’s icon makes it appear to be a WinZip file. As a result, the user may unknowingly start the worm.

Once a Windows system is infected, the malicious code may:

Attempt to harvest email addresses stored on the infected system

Utilize its own SMTP engine to send itself to the harvested email addresses

Disable anti-virus and file sharing programs

Spread itself using all available Windows network shares on the infected system

Modify the active Desktop

In addition, on February 3, 2006, the worm will destroy files with the following extensions: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DM.
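The trick the alert describes, a program named to look like an archive on a system that hides known extensions, is easy to check for at a mail gateway or in an attachment log. The following is an added example, not US-CERT's code: it models what Explorer displays with "Hide extensions for known file types" turned on and flags attachments whose real (last) extension runs code while the visible part pretends to be an archive or document. The attachment names, extension lists and function names are constructed for the demo.

```python
import os

# Extensions Windows will execute when the file is double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl"}
# Harmless-looking extensions a mass-mailer borrows for its decoy name and icon.
DECOY_EXTS = {"zip", "rar", "doc", "xls", "ppt", "pdf", "jpg", "gif", "txt", "mp3"}

# Constructed attachment names for the demo (not taken from any real sample).
SAMPLE_ATTACHMENTS = [
    "photos.zip.exe",
    "Invoice_2006.doc .scr",   # padding spaces push the real extension out of a narrow column
    "report.zip",
    "setup.exe",
    "NOTES.TXT",
    "party.pif",
]


def split_name(name: str):
    """Return (stem, penultimate_ext, real_ext), lowercased and stripped.
    Windows decides what runs by the last dot-suffix only."""
    parts = [p.strip() for p in name.lower().rsplit(".", 2)]
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:
        return parts[0], "", parts[1]
    return parts[0], "", ""


def displayed_name(name: str, hide_known_ext: bool = True) -> str:
    """What Explorer lists when 'Hide extensions for known file types' is on
    (the XP default the alert refers to): the final registered extension is
    dropped, so 'photos.zip.exe' appears as 'photos.zip' beside a ZIP-style icon."""
    stem, ext = os.path.splitext(name)
    known = ext[1:].lower() in EXECUTABLE_EXTS | DECOY_EXTS
    return stem if (hide_known_ext and known) else name


def is_executable(name: str) -> bool:
    return split_name(name)[2] in EXECUTABLE_EXTS


def is_disguised_executable(name: str) -> bool:
    """True when the real extension runs code and the visible part pretends otherwise."""
    _, decoy, real = split_name(name)
    return real in EXECUTABLE_EXTS and decoy in DECOY_EXTS


def triage(names) -> list:
    """Classify attachment names; a gateway should quarantine both categories."""
    out = []
    for n in names:
        if is_disguised_executable(n):
            out.append((n, "disguised executable"))
        elif is_executable(n):
            out.append((n, "executable"))
    return out


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(f"{n!r:28} shown as {displayed_name(n)!r}")
    print(triage(SAMPLE_ATTACHMENTS))
```

On the desktop side, the hiding is a per-user Explorer setting: the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, 1 to hide and 0 to show; pushing 0 through Group Policy removes the disguise the worm relies on, though a user who sees "photos.zip.exe" can still choose to open it.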

Although there is limited information concerning this potential threat, US-CERT strongly encourages users and system administrators to implement the following workarounds:

Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. Users may also wish to visit the US-CERT Computer Virus Resources for general virus protection information.